DETAILED ACTION

■ Applicant's submission for RCE filed on 1/11/2008 has been entered. Claims 1, 2, 9, 21, 22,
27-33 are pending. Applicant has amended claims 1, 2, 21, and 27 and added claims 31-33.

■ Examiner acknowledges clarification of claims 1 and 21, which were objected to because
certain new limitations were not considered to be clearly defined/supported in the original
disclosure. Applicant has now pointed out how these limitations are supported by the original
disclosure. As a result, the objection to claims 1 and 21 is withdrawn.



Election/Restrictions 

1. Newly submitted claims 31-33 are directed to an invention that is independent or distinct from
the invention originally claimed for the following reasons:

I. Claims 1, 2, 9, 21, 22, 27, 28, 29, and 30 are drawn to providing a security status of an
on-line service comprising a verification service that hosts and controls contents of the web
object, wherein the verification service determines multiple verification operations (e.g.
first and second verification operations) prior to the visitor's access request, wherein the
multiple verification operations determine the security status by comparing a fingerprint of a new
vulnerability to a stored list of the devices and services and without performing an actual
scan or test of the devices and services, classified in Class 713, subclass 188.

II. Claims 31-33 are drawn to a method for scanning a plurality of on-line services (e.g. first
on-line service, second on-line service), wherein the plurality of on-line services have
publicly accessible web-sites at various IP addresses respectively, and storing respective
lists of the determined devices, services and web page objects for the plurality of on-line
services, wherein the web page objects are accessible on the public Internet via IP
addresses that are unrelated to the various IP addresses of the web-sites, and providing
visitor access to the web-sites and thereby providing the security status of the plurality
of on-line services, classified in Class 726, subclass 22.

The inventions are distinct from each other because Inventions I and II are related as
subcombinations disclosed as usable together in a single combination. The subcombinations are
distinct from each other if they are shown to be separately usable. In the instant case, Invention I has
separate utility involving a verification service that hosts and controls contents of the web object, wherein
the verification service determines multiple verification operations (e.g. first and second verification
operations) prior to the visitor's access request, wherein the multiple verification operations determine
the security status by comparing a fingerprint of a new vulnerability to a stored list of the devices and
services and without performing an actual scan or test of the devices and services. Invention II has
separate utility involving a method for scanning a plurality of on-line services (e.g. first on-line service,
second on-line service), wherein the plurality of on-line services have publicly accessible web-sites at
various IP addresses respectively, and storing respective lists of the determined devices, services and
web page objects for the plurality of on-line services, wherein the web page objects are accessible on the
public Internet via IP addresses that are unrelated to the various IP addresses of the web-sites, and
providing visitor access to the web-sites and thereby providing the security status of the plurality of
on-line services.

See MPEP § 806.05(d). Because these inventions are distinct for the reasons given above and
have acquired a separate status in the art as shown by their different classification, restriction for
examination purposes as indicated is proper.

Since applicant has received an action on the merits for the originally presented invention, this
invention has been constructively elected by original presentation for prosecution on the merits.
Accordingly, claims 31-33 are withdrawn from consideration as being directed to a non-elected
invention. See 37 CFR 1.142(b) and MPEP § 821.03.



Double Patenting 

2. The nonstatutory double patenting rejection is based on a judicially created doctrine grounded 
in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise 
extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple 
assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the 
conflicting claims are not identical, but at least one examined application claim is not patentably 
distinct from the reference claim(s) because the examined application claim is either anticipated by, 
or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 
USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In 
re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 
761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 
418 F.2d 528, 163 USPQ 644 (CCPA 1969). 

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used
to overcome an actual or provisional rejection based on a nonstatutory double patenting ground 
provided the conflicting application or patent either is shown to be commonly owned with this 
application, or claims an invention made as a result of activities undertaken within the scope of a joint 
research agreement. 

Effective January 1, 1994, a registered attorney or agent of record may sign a terminal
disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b). 

Claims 1, 2, 9, 21, 27, 28, 29 and 30 are provisionally rejected on the ground of nonstatutory
obviousness-type double patenting as being unpatentable over claims 1, 2, 9, 39 and 40 of copending
Application No. 10/113875 in view of Khaishgi et al. (US 6,658,394 B1), hereinafter Khaishgi.

Regarding Claim 1, the only difference between claim 1 of the '878 patent application and
claim 1 of the '875 patent application is that the pending application '875 has an additional limitation
of "wherein when the verification service causes the web page object to have at least one of the first



Application/Control Number: 10/674,878 



Page 5 



Art Unit: 2135 

and second contents, the web page object appears invisible to the visitor after it is rendered by the
visitor's browser". However, Khaishgi discloses this additional limitation (at Column 4, lines 54-57, "In
one configuration, seal issuer 8 generated a media object having a transparent image when the
corresponding merchant 4 loses its certification status. In this manner, the seal "disappears" from the
merchant web site"). Therefore, it would have been obvious at the time the invention was made to
one of ordinary skill in the art to modify claim 1 of '855 to have the web page object appear invisible to
the visitor so that "the seal "disappears" from the merchant web site" (Khaishgi, Column 4, lines 54-57).
This act illustrates that the seal is no longer verified or that the merchant failed to verify itself during
the re-verification process.

Claim 21 has limitations identical to those of claim 1 in a different statutory category (method steps).
Therefore, it is also rejected under the same rationale.

Claims 2 and 27 are identical in scope to claim 2 of '875.

Claims 9 and 28 are identical in scope to claim 9 of '875.

Claim 29 is identical in scope to claim 39 (with just a different statutory category). 

Claim 30 is identical in scope to claim 30 (with just a different statutory category). 

The mapping of the rejected claims in the present application to the copending application is
as follows:

Present Application (10/674878)    Co-Pending Application (10/113875)
1                                  1
2                                  2
9                                  9
21                                 1
27                                 2
28                                 9
29                                 39
30                                 40



This is a provisional obviousness-type double patenting rejection because the conflicting 
claims have not in fact been patented. 

Response to Amendment 

3. Applicant has amended independent claims 1 and 21, which necessitated new grounds of
rejection. See rejection above. 



4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 
102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the 
subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill 
in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 



Claims 1, 2, 9, 21, 22, and 27-30 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Khaishgi et al. (US 6,658,394 B1), hereinafter "Khaishgi", in view of Bates et al. (US 6,721,721
B1), hereinafter "Bates", and further in view of Bunker, V et al. (US 2003/0028803), hereinafter
"Bunker".



Claim Rejections - 35 USC § 103

Regarding Claims 1 and 21, Khaishgi discloses an apparatus and corresponding method for
providing a security status of an on-line service, comprising:

a web page object (Column 1, lines 26-28, "electronic seals") that is automatically rendered by
a browser when a visitor uses the browser (Fig. 5, Numerals 52, 54, 56, and 58, and at Column 2,
lines 34-44, "browser") to access one or more web pages of the on-line service (Fig. 1, Numeral 4,
"Merchant") via a public network (Fig. 1, Numeral 12, "Network"); and

a verification service (Fig. 2, Numeral 8, "Certification Service") that hosts the web page object 
(Fig. 2, Numeral 22, "Seal Servers") separately from the one or more web pages of the on-line service 
(Fig. 2, Numeral 4, Merchant's server(s) numeral 4 are separate from the "Seal servers 22" of 
"Certification Service", also refer to Column 3, lines 14-25), and further controls contents of the web 
page object (Column 3, lines 26-42), 

wherein the visitor is not required to take any action other than requesting access to the on-line
service via the browser to receive the security status through the automatic rendering of the web
page object by the visitor's browser (Column 2, lines 66-67 and Column 3, lines 1-2, "Merchants 4
post their corresponding electronic seals on their web sites or in electronic mail messages (emails) in
order to increase the confidence of potential customers". Note: Since the web page of the merchant
contains the link to the seal, the seal is generated and displayed on the web page when the client
generates a request for a web page from a merchant; the client will only need to take further action (i.e.
click on the seal) if the client wants "more information" about the seal and merchant, refer to Column 3,
lines 14-25), and

wherein the verification service causes the contents of the web page object to be changed in
accordance with its prior determination of a level of the security status (Column 4, lines 60-67 and
Column 5, lines 1-7, "When user 6 accesses a merchant 4, client device 10 is directed to retrieve a
seal from seal servers 22. More specifically, seal servers 22 receive a request from computing
device 10 that includes a unique identifier for one of the merchants and, therefore, uniquely identifies
one of the media objects within seal repository 25 (step 52). Seal servers 22 log the request by
storing the IP address within request log 24 (step 54) and select the appropriate media object
according to the unique identifier (step 56)."), such that when the verification service determines, in a
first verification operation prior to the visitor's access request, that the on-line service has a first level
of the security status, it causes the web page object to have first contents (Column 4, lines 60-67 and
Column 5, lines 1-7, the seal server provides the electronic seal corresponding to the merchant to the
client), and when the verification service determines, in a second verification operation prior to the
visitor's access request, that the on-line service has a different second level of the security status
(Column 4, lines 49-52, "Next, seal maintenance modules 27 periodically regenerate the media
objects in order to update the embedded information including the expiration date (Step 48)."), it
causes the web page object to have different security status levels via the browser's automatic
rendering of the prior-determined and changed web page object contents when the visitor requests
access to the on-line service (Column 4, lines 52-54, "For example, a new set of media objects can be
generated daily in order to facilitate detection of expired seals"), and

wherein the first and second verification operations to determine the on-line service's security
status and control the contents of the web page object are performed by the verification service prior
to and completely independently from the visitor's request to access the on-line service, and
independently from any action by the visitor and visitor's browser (Column 4, lines 28-57, Note: Both
the seal generation and maintenance are done by the certification service and these steps are done
completely independently from the visitor's request to access the on-line service, i.e. the visitor's request
to access the on-line service does not trigger the initial seal request operation from the merchant (Fig. 3) or
the maintenance, which can be done daily), and

wherein when the verification service causes the web page object to have at least one of the
first and second contents, the web page object appears invisible to the visitor after it is rendered by
the visitor's browser (Column 4, lines 54-57, "In one configuration, seal issuer 8 generated a media
object having a transparent image when the corresponding merchant 4 loses its certification status. In
this manner, the seal "disappears" from the merchant web site").

Khaishgi discloses changing the seal in response to detecting expiration of the seal (Column 4,
lines 54-57). Khaishgi does not explicitly disclose:

wherein the levels of the security status displayed for the visitor via the automatic rendering of 
the web page object indicate how vulnerable devices and services of the on-line service are to 
hackers and other online security threats as determined by the first and second verification 
operations. 

Bates discloses the levels of the security status displayed for the visitor via the automatic 
rendering of a web page object that indicate how vulnerable devices and services of the on-line 
service are to hackers and other online security threats as determined by the verification operation 
(see Fig. 8, Numerals 238 and 240). 

Therefore, it would have been obvious at the time the invention was made to one of ordinary
skill in the art to scan the online services of Khaishgi and display the level of security indicating how
vulnerable devices and services of the on-line service are to hackers and other online security threats,
as taught by Bates, so that the user would know the current status of the on-line service prior to
performing any personal transaction with that on-line service, which improves the end-user's
confidence regarding the security status of on-line services.

The combination of Khaishgi and Bates does not disclose wherein at least one of the first and 
second verification operations include determining the security status by comparing a fingerprint of a 
new vulnerability to a stored list of the devices and services and without performing an actual scan or 
test of the devices and services. 

However, Bunker discloses determining the security status by comparing a fingerprint of a new
vulnerability to a stored list of the devices and services and without performing an actual scan or test
of the devices and services (paragraph 0019, lines 11-14, "The configuration of the new vulnerability
may be compared to the customer's system network configuration in the last test for the customer.").

Therefore, it would have been obvious at the time the invention was made to one of ordinary
skill in the art to further modify the virus scanner of the combined system of Khaishgi and Bates to send
an alert based on information in the stored profile and newly received vulnerability information without
requiring a new scan, as taught by Bunker, so that "only customers affected by the new security
vulnerabilities may receive the alert" (paragraph 0020, lines 1-2). This kind of configuration also
provides real-time security alerts that warn operators to perform appropriate action when a newly
received security vulnerability can potentially harm their system.

Regarding Claims 2 and 27, the rejections of claims 1 and 21 are incorporated and the combination of
Khaishgi, Bates and Bunker further discloses wherein the on-line service comprises devices and
services (Fig. 1, Numeral 4, representing web-servers of Merchant 4) and the verification service
determines the security status level of the on-line service (Column 2, lines 44-46, "Seal issuer 8
verifies the credentials, policies or business practices of each Merchant 4 and issues a corresponding
seal of certification to each merchant 4 upon verification.") by evaluating a vulnerability scan of the
devices and services comprising the on-line service (see Bates, Figs. 5 and 6).

Regarding Claims 9 and 28, the rejections of claims 2 and 27 are incorporated and the
combination of Khaishgi, Bates and Bunker further discloses that the verification service periodically receives
the result of a new vulnerability scan of the devices and services comprising the on-line service and
causes the contents of the web page object to be changed if a changed security status level is
determined, thereby automatically providing the visitor with an updated security status (see Bates,
Column 13, lines 23-34, and Khaishgi, Column 4, lines 49-57).

Regarding Claim 22, the rejection of claim 21 is incorporated and the combination of Khaishgi,
Bates and Bunker further discloses wherein at least one of the first and second verification operations
includes scanning the on-line service from a remote address on the network (see Khaishgi, Fig. 2,
Numerals 8 and 4; verification of Merchant 4 is done from the Certification Server, which includes
Theft Detection Modules 28, and Certification Service 8 can be seen to be remotely located from Merchant 4).

Regarding Claim 29, the rejection of claim 21 is incorporated and the combination of Khaishgi, 
Bates and Bunker further discloses the web page object comprises an image and an associated URL 
(Column 3, lines 28-31, "Each media object contains media, such as image data, video data, and 
audio data, that merchant 4 presents as an electronic seal of certification." and also at Column 3, 
lines 58-67, URL for the seal). 

Regarding Claim 30, the rejection of claim 21 is incorporated and the combination of Khaishgi,
Bates and Bunker further discloses the web page object comprises a graphical file whose contents
are periodically updated in accordance with a periodically determined security status level (Column 3,
lines 28-31, "Each media object contains media, such as image data, video data, and audio data, that
merchant 4 presents as an electronic seal of certification." and at Column 4, lines 49-57, "Next, seal
maintenance modules 27 periodically regenerate the media objects in order to update the embedded
information including the expiration date (step 48). For example, a new set of media objects can be
generated daily in order to facilitate detection of expired seals.").

Conclusion 

5. Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to YOGESH PALIWAL whose telephone number is (571)270-1807. The examiner 
can normally be reached on M-F: 7:30 AM - 5:00 PM EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor,
Kim Vu, can be reached on (571) 272-3859. The fax phone number for the organization where this
application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application
Information Retrieval (PAIR) system. Status information for published applications may be obtained
from either Private PAIR or Public PAIR. Status information for unpublished applications is available
through Private PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the
Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a
USPTO Customer Service Representative or access to the automated information system, call
800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Y. P./

Examiner, Art Unit 2135 
/KIMYEN VU/ 

Supervisory Patent Examiner, Art Unit 2135 



